1. Field of the Invention
The present invention relates to anti-malware technology, and more particularly, to the detection of unknown malware threats based on real-time automatic analysis of events and of the behavioral patterns of objects.
2. Description of the Related Art
The ongoing proliferation of malicious programs causes substantial damage to computers worldwide. The existing methodology of providing protection to stand-alone personal computers, as well as to corporate networks, centers primarily on dealing with already known computer threats.
Antivirus programs, in existence since the late 1980s, traditionally detect viruses and related hostile software in two ways: (1) files are scanned for binary code strings matching those of known viruses (“virus signatures”), and (2) files are scanned for code that is typical of viruses in general rather than of one known sample (“heuristic scanning”). Other techniques involve either blocking virus-like behavior at run time (“behavior blocking”) or checking files for unexpected modifications against a previously recorded baseline (“integrity checking”).
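The following is an added illustration of the three file-based techniques just listed (signature scanning, heuristic scanning and integrity checking); it is example code written for this page, not code from the patent or from any named antivirus product. The signatures, heuristic rules, file names and file contents are all constructed for the example, and the two-byte rule names are hypothetical.

```python
import hashlib
import re

# Constructed "virus signatures": short byte strings standing in for the
# binary code strings a signature scanner matches. Names are hypothetical.
KNOWN_SIGNATURES = {
    "Sample.A": b"\xeb\x10\x5e\x31\xc0\x8a\x06",
    "Sample.B": b"INFECTED-BY-SAMPLE-B",
}

# Constructed heuristic rules: code fragments typical of viruses in general
# rather than of one known sample.
HEURISTIC_RULES = [
    # call $+5 followed by pop reg: the classic way position-independent
    # viral code finds its own load address.
    ("call-pop-self-locate", re.compile(rb"\xe8\x00\x00\x00\x00[\x58-\x5f]")),
    # a wildcard search for executables to infect
    ("enumerates-executables", re.compile(rb"\*\.(?:exe|com)", re.IGNORECASE)),
]


def signature_scan(data: bytes) -> list[str]:
    """Technique (1): report every known signature contained in the file."""
    return [name for name, sig in KNOWN_SIGNATURES.items() if sig in data]


def heuristic_scan(data: bytes) -> list[str]:
    """Technique (2): report every generic virus-like code pattern found."""
    return [name for name, pattern in HEURISTIC_RULES if pattern.search(data)]


def build_baseline(files: dict[str, bytes]) -> dict[str, str]:
    """Integrity checking, step 1: record a hash of every file while clean."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def integrity_check(baseline: dict[str, str], files: dict[str, bytes]) -> list[str]:
    """Integrity checking, step 2: report baselined files whose hash changed."""
    return sorted(
        path
        for path, content in files.items()
        if path in baseline and hashlib.sha256(content).hexdigest() != baseline[path]
    )


def scan_file(data: bytes) -> dict[str, list[str]]:
    """Combined verdict of the two content scanners for one file."""
    return {"signatures": signature_scan(data), "heuristics": heuristic_scan(data)}


# Constructed snapshot of a file system taken while the machine is clean.
CLEAN_FILES = {
    "C:/apps/editor.exe": b"MZ" + b"\x90" * 16 + b"editor main routine",
    "C:/apps/viewer.exe": b"MZ" + b"\x90" * 16 + b"viewer main routine",
}

# Constructed samples arriving later: one known, one merely virus-like,
# one from a new family that shares no code or strings with anything known.
KNOWN_SAMPLE = b"MZ" + KNOWN_SIGNATURES["Sample.A"] + b"payload"
HEURISTIC_ONLY = b"MZ\xe8\x00\x00\x00\x00\x5e" + b"find *.EXE and append"
UNKNOWN_SAMPLE = b"MZ" + b"\x4d\x5a\x90\x00" + b"new family, new code, no shared strings"


def demo() -> dict[str, object]:
    """Run all three techniques and show where each one stops helping."""
    baseline = build_baseline(CLEAN_FILES)
    # The unknown sample is flagged by neither content scanner ...
    verdict_unknown = scan_file(UNKNOWN_SAMPLE)
    # ... and is only noticed after it has already overwritten a baselined file.
    infected = dict(CLEAN_FILES)
    infected["C:/apps/viewer.exe"] = UNKNOWN_SAMPLE
    return {
        "known": scan_file(KNOWN_SAMPLE),
        "heuristic": scan_file(HEURISTIC_ONLY),
        "unknown": verdict_unknown,
        "modified_after_infection": integrity_check(baseline, infected),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the limitation the text goes on to describe: the known sample is caught by its signature, the virus-like sample by the generic rules, but the sample from a new family passes both scanners, and the integrity check reports it only once a clean file has already been replaced, i.e. after the object has entered the system.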
U.S. Pat. No. 6,016,546 discloses a method of estimating the probability that any of a first set of known data traits is present in a data string by use of a second set of generic features and a third set of signatures, where the generic features and the signatures are typical of the first set of data traits.
U.S. Pat. No. 6,338,141 discloses a method that may be performed on a stand-alone computer system in real time or on a networked machine. The method uses a collection of relational data to detect computer viruses in computer files. This collection of relational data comprises various relational signature objects created from viruses. Computer files being checked for viruses are run through a process that creates relational signature objects from them. After the signature objects have been created as a result of the file scan, they are checked against the collection of relational data, and, depending on the results, the file may be deemed infected and prohibited from running on the system.
However, this approach to dealing with viruses can identify a malicious object only after the malicious object has already entered the computer system or one of the nodes on the network, and it is ineffective against unknown threats whose signatures have not yet been captured, or against computer viruses exhibiting behavioral patterns not yet known.
Accordingly, there is a need in the art for a system and method providing a more effective, proactive approach to the detection of unknown computer threats, one that detects an unknown virus before it enters the protected computer system or computer network and becomes a problem.